CN115189885A - Method for authenticating equipment login, storage medium and electronic equipment - Google Patents


Info

Publication number
CN115189885A
Authority
CN
China
Prior art keywords
information
request message
server
user
credential
Legal status
Pending
Application number
CN202210646121.8A
Other languages
Chinese (zh)
Inventor
邓娟
曾真
王康
朱红儒
Current Assignee
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Application filed by Alibaba China Co Ltd
Priority to CN202210646121.8A
Publication of CN115189885A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The invention discloses a method for authenticating a device login, a storage medium and an electronic device. The method comprises the following steps: sending a first request message to a first device, wherein the first request message is used for requesting to acquire credential information; receiving a first response message from the first device, wherein the information carried in the first response message includes: credential information; and sending a first access request message to a server, wherein the information carried in the first access request message comprises: signature information, the signature information being generated based on the credential information. The invention solves the technical problem that the prior-art method for password-free authentication based on FIDO2 cannot synchronize authentication credentials across different devices.

Description

Method for authenticating device login, storage medium and electronic device
Technical Field
The invention relates to the technical field of computers, in particular to a method for authenticating equipment login, a storage medium and electronic equipment.
Background
Password authentication has many known security problems, so attempts are currently being made to reduce or remove password authentication in many application scenarios, and password-less authentication is gradually becoming a more widely used user authentication method.
In the related art, the most common protocol for password-less authentication is the international FIDO2 standard established by the Fast Identity Online (FIDO) Alliance. The FIDO2 protocol may be used to ensure secure login of the user, and may support login authentication of the user using a biometric feature (such as a fingerprint, a facial feature, a voice, etc.) or an external security key (such as a USB security key).
However, the password-less authentication method using the FIDO2 protocol has drawbacks in that: the FIDO credentials cannot be synchronized across different devices. In particular, the FIDO public and private key pair is stored on the user equipment to support the user to access the server or the application in a password-free authentication mode. When the user changes the device, the new user device does not have a FIDO public and private key pair, and when the user uses the new user device to access the server or the application, password authentication is still needed.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a method for authenticating device login, a storage medium and an electronic device, which at least solve the technical problem that the prior-art method for password-free authentication based on FIDO2 cannot synchronize authentication credentials across different devices.
According to an aspect of an embodiment of the present invention, a method for authenticating device login is provided, including: sending a first request message to first equipment, wherein the first request message is used for requesting to acquire credential information; receiving a first response message from the first device, wherein information carried in the first response message includes: credential information; sending a first access request message to a server, wherein the information carried in the first access request message comprises: signature information, the signature information generated based on the credential information.
According to another aspect of the embodiments of the present invention, there is also provided a method for authenticating device login, including: receiving a first access request message from a second device, wherein the information carried in the first access request message includes: signature information, the signature information being generated based on the credential information acquired by the second device; and verifying the signature information.
According to another aspect of the embodiments of the present invention, there is also provided a method for authenticating device login, including: receiving a first request message from the second device, wherein the first request message is used for requesting to acquire credential information; and sending a first response message to the second device, wherein the information carried in the first response message includes: credential information.
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for authenticating device login, comprising a first sending module, a first receiving module and a second sending module, wherein the first sending module is configured to send a first request message to a first device, the first request message being used for requesting to acquire credential information; the first receiving module is configured to receive a first response message from the first device, where the information carried in the first response message includes: credential information; and the second sending module is configured to send a first access request message to a server, where the information carried in the first access request message includes: signature information, the signature information being generated based on the credential information.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, where the computer-readable storage medium includes a stored program, and when the program runs, the apparatus where the computer-readable storage medium is located is controlled to execute any one of the above methods for authenticating a login of an apparatus.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including: a processor; and a memory, coupled to the processor, for providing instructions to the processor for processing the following processing steps: sending a first request message to a first device, wherein the first request message is used for requesting to acquire credential information; receiving a first response message from the first device, wherein information carried in the first response message includes: credential information; sending a first access request message to a server, wherein the information carried in the first access request message comprises: signature information, the signature information generated based on the credential information.
In the embodiment of the present invention, a first request message is sent to a first device, where the first request message is used to request to acquire credential information; a first response message from the first device is received, where the information carried in the first response message includes credential information; and a first access request message is further sent to a server, where the information carried in the first access request message includes signature information generated based on the credential information. In this way, password-free authentication is performed on the current device by synchronizing the credential information from the target device, the technical effect of synchronizing password-free authentication credentials across different devices is achieved, and the technical problem that the prior-art method for password-free authentication based on FIDO2 cannot synchronize authentication credentials across different devices is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a diagram of a non-password authentication component corresponding to a FIDO2 protocol according to the prior art;
FIG. 2 is a schematic diagram of a pre-configuration flow for password-less authentication, according to the prior art;
FIG. 3 is a schematic diagram of an authenticator registration process without password authentication according to the prior art;
FIG. 4 is a schematic diagram of a user password-less authentication process according to the prior art;
FIG. 5 is a hardware configuration block diagram of a computer terminal (or mobile device) for implementing a method of authenticating device login;
FIG. 6 is a flow chart of a method of authenticating a device login in accordance with an embodiment of the present invention;
FIG. 7 is a flow diagram of another method of authenticating a device login in accordance with an embodiment of the present invention;
FIG. 8 is a flow diagram of another method of authenticating a device login in accordance with an embodiment of the present invention;
FIG. 9 is a schematic diagram of an alternative key synchronization process according to an embodiment of the invention;
FIG. 10 is a schematic diagram of an alternative key synchronization flow according to an embodiment of the invention;
FIG. 11 is a schematic diagram of an alternative authentication device login process according to an embodiment of the invention;
FIG. 12 is a schematic diagram of an alternative authentication device login process according to an embodiment of the invention;
FIG. 13 is a schematic diagram of an alternative authentication device login process according to an embodiment of the invention;
FIG. 14 is a schematic structural diagram of an apparatus for authenticating device login according to an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of another apparatus for authenticating device login according to an embodiment of the present invention;
FIG. 16 is a schematic structural diagram of another apparatus for authenticating device login according to an embodiment of the present invention;
FIG. 17 is a schematic structural diagram of another apparatus for authenticating device login according to an embodiment of the present invention;
FIG. 18 is a block diagram of another configuration of a computer terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms appearing in the description of the embodiments of the present invention are explained as follows:
Fast Identity Online 2 (FIDO2): uses standard public key cryptography instead of shared secrets to provide stronger authentication and protection against phishing and channel attacks. FIDO2 is an open industry standard for online and digital verification.
Example 1
There is also provided, in accordance with an embodiment of the present invention, an embodiment of a method for authenticating a device login, including the steps illustrated in the flowchart of the figure, which may be implemented in a computer system, such as a set of computer-executable instructions, and although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
In the related art, the most common protocol for password-less authentication is the FIDO2 protocol. Fig. 1 is a schematic diagram of a password-less authentication component corresponding to the FIDO2 protocol in the prior art. As shown in fig. 1, a user can access a remote server through a client on a user device (e.g., a computer, a smart phone, etc.), and the server authenticates the user. The process of authenticating the user by the server may include: pre-configuration, authenticator registration, user password-less authentication, etc.
It should be noted that the user equipment includes an authenticator and a client; the interaction between the authenticator and the client is not shown in fig. 1.
Fig. 2 is a schematic diagram of a pre-configuration process of password-less authentication according to the prior art, and as shown in fig. 2, before performing password-less authentication on a user, an authenticator certificate may be configured on an authenticator of a user device, and a FIDO public key corresponding to the password-less authentication may be configured on a server.
Fig. 3 is a schematic diagram of an authenticator registration process without password authentication according to the prior art, and as shown in fig. 3, the authenticator registration process includes:
step E31, the user accesses the server through the user equipment and adopts a user name and a password for authentication;
step E32, the server sends a message 1 to the user equipment, wherein the message 1 carries: a challenge, a server identifier, user information, and the like, where the server identifier is used to identify a server or an application accessed by a user, the user information is used to identify the user (which may include a user name or a user identifier, and the like), and the challenge may be a random number (in this example, the challenge is different each time the server sends to the user device);
step E33, after the user equipment receives the message 1, determining that the user agrees to use one of password-free authentication, biometric authentication, multi-factor authentication and second factor authentication, wherein the user can input authorization information (such as fingerprints or facial biometric information, a screen unlocking password, an equipment password, a personal identification code and other credentials) for verification, and the user equipment stores the authorization information;
step E34, the user equipment generates a FIDO public and private key pair, wherein the FIDO public and private key pair is used for user authentication when the user accesses the server or the application;
step E35, the user equipment sends a message 2 to the server: the user equipment signs message 2 with the FIDO private key in the authenticator and then sends message 2 together with the signature corresponding to message 2 to the server;
and step E36, after receiving the message 2, the server verifies the signature sent by the user equipment by using the FIDO public key corresponding to the message 2, and if the verification is successful, the FIDO public key is stored.
Note that through the authenticator registration process, the authenticator of the user equipment generates a FIDO public-private key pair and transmits the FIDO public key to the server. The FIDO public key may then be used for password-less authentication when the user accesses the server again.
It should be noted that the user equipment may generate different FIDO public and private key pairs for different servers or applications, and the user equipment may also generate different FIDO public and private key pairs for different users.
It should be noted that, when the user equipment sends a message to the server, the FIDO private key of the authenticator may be used to sign the message to be sent, and the message and the signature are sent to the server; the server may verify the signature of the message using the FIDO public key of the authenticator.
Fig. 4 is a schematic diagram of a user password-less authentication process according to the prior art, and as shown in fig. 4, the user password-less authentication process includes:
step E41, the user accesses the server through the user equipment and submits user information;
step E42, the server sends a message 3 to the user equipment, wherein the message 3 carries information such as challenge and the like;
step E43, the user equipment acquires authorization information (including fingerprint or facial biological characteristic information, screen unlocking password, equipment password, personal identification code and other credentials) from the user, and the user equipment stores the authorization information;
step E44, the user equipment verifies the authorization information, and if the authorization information is verified, the user equipment can authenticate the user;
step E45, the user equipment signs the received message 3 by using the FIDO private key and sends the signature to the server, and the user equipment selects the corresponding FIDO private key according to the server information, the user information and the like;
and E46, the server verifies the signature by using the FIDO public key, and if the signature passes the verification, the user authentication is determined to be successful.
However, the drawback of using the above-mentioned FIDO2 protocol-based password-less authentication method is that: the FIDO credentials cannot be synchronized across different devices. In particular, the FIDO public and private key pair is stored on the user equipment to support the user to access the server or the application in a password-free authentication mode. When the user changes the device, the new user device does not have a FIDO public and private key pair, and when the user uses the new user device to access the server or the application, password authentication is still needed.
In view of the above problems, no effective solution has been proposed.
The method embodiment provided by the first embodiment of the present invention may be executed in a mobile terminal, a computer terminal, or a similar computing device. Fig. 5 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing a method of authenticating device login. As shown in fig. 5, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, …, 102n; processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission device 106 for communication functions. In addition, the computer terminal 10 may also include: a display, a keyboard, a cursor control device (such as a mouse), an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in fig. 5, or have a different configuration than shown in fig. 5.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the invention, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the method for authenticating device login in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implements the above-mentioned method for authenticating device login. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet via wireless.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
It should be noted here that in some alternative embodiments, the computer device (or mobile device) shown in fig. 5 above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that fig. 5 is only one example of a particular specific example and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.
In the above operating environment, the invention provides a method for authenticating device login as shown in fig. 6. The method for authenticating device login runs on the second device, which requests to acquire the credential information. Fig. 6 is a flowchart of a method for authenticating device login according to an embodiment of the present invention; as shown in fig. 6, the method for authenticating device login includes:
step S61, sending a first request message to the first device, wherein the first request message is used for requesting to acquire credential information;
step S62, receiving a first response message from the first device, where information carried in the first response message includes: credential information;
step S63, sending a first access request message to the server, wherein the information carried in the first access request message includes: signature information, the signature information generated based on the credential information.
Optionally, the first device may be another device of the current user storing the FIDO credential (e.g., another device of the current user or a third-party device, etc.). The credential information may be a FIDO credential. The first request message is used for requesting the first device to acquire the FIDO credential. The first response message may be used to return credential information corresponding to the first request message.
Optionally, the current device (corresponding to a second device requesting to obtain credential information) sends the first request message to another device of the current user storing the FIDO credential; the other equipment can return a first response message to the current equipment after receiving the first request message; the current device may obtain the FIDO credential from the returned first response message, generate signature information based on the FIDO credential, and send a first access request message carrying the signature information to the server to request access to the server.
Note that, by the method provided in the above alternative embodiment, the FIDO credentials can be synchronized between different devices, thereby supporting the user in performing password-less authentication on different devices.
It should be noted that the method for authenticating device login provided by the present invention can be applied to any application scenario involving password-free user authentication based on FIDO2, but is not limited thereto.
In the embodiment of the present invention, a first request message is sent to a first device, where the first request message is used to request to acquire credential information; a first response message from the first device is received, where the information carried in the first response message includes credential information; and a first access request message is further sent to a server, where the information carried in the first access request message includes signature information generated based on the credential information. In this way, password-free authentication is performed on the current device (which is equivalent to the second device requesting to acquire the credential information) by synchronizing the credential information from the target device, the technical effect of synchronizing password-free authentication credentials across different devices is achieved, and the technical problem that the prior-art method for password-free authentication based on FIDO2 cannot synchronize authentication credentials across different devices is solved.
In an optional embodiment, in the method of authenticating a device login, the credential information includes at least one of: server identification, user information, first key information and authorization information. In an alternative embodiment, in the method of authenticating a device login, the server identification is for at least one of: identifying a server, identifying a service on the server, information needed to access the server, and information needed to access the service on the server; the user information includes: a user name or user identification; the first key information includes at least one of: the first public key, the first private key and the first key identification; the authorization information includes at least one of: fingerprint information, face information, passwords, personal identification numbers.
Alternatively, the first key information may be a FIDO key. The FIDO key may be at least one of a FIDO public key, a FIDO private key, and a FIDO key identification.
Optionally, the authorization information is used to authorize the current device (corresponding to the second device requesting to obtain the credential information) to access the server (or a service on the server). The authorization information may be at least one of fingerprint information, face information, a password, and a personal identification number.
In an optional embodiment, in the method for authenticating device login, the information carried in the first access request message further includes at least one of: user information and a server identification.
Optionally, the first access request message sent by the current device (equivalent to the second device requesting to acquire the credential information) to the server may carry user information and/or a server identification, where the user information is used to determine the identity of the user corresponding to the current device and the server identification is used to determine the server (or the service on the server) to be accessed.
In an optional embodiment, after receiving the first response message from the first device, the method for authenticating device login further comprises at least one of the following steps:
step S64, using the second key information to execute decryption operation on the first response message;
step S65, integrity verification is performed on the first response message by using the second key information.
In an optional embodiment, in the method for authenticating device login, the second key information includes one of: authorization information, a key generated based on the authorization information.
Optionally, the second key information may include authorization information or a key generated based on the authorization information. In an actual application scenario, the second key information may also be an authenticator public key corresponding to a current device (corresponding to a second device requesting to obtain credential information) or a key generated by information input in advance by a user.
Optionally, performing the decryption operation on the first response message by using the second key information may mean decrypting the first response message with the second key information so as to obtain the credential information carried in it.
Optionally, performing integrity verification on the first response message by using the second key information may mean checking, with the second key information, that the first response message and the credential information carried in it have not been modified in transit, and accepting the credential information only if that check passes.
In an actual application scenario, the decryption operation and the integrity verification on the first response message by means of the second key information may be as follows: user equipment 1 uses the authenticator FIDO public key of user equipment 2 to apply encryption protection and/or integrity protection to the credential or credential set to be transmitted; after receiving the credential or credential set sent by user equipment 1, user equipment 2 performs decryption and/or integrity verification with the corresponding authenticator FIDO private key, and so obtains the user's FIDO credential information.
In an actual application scenario, they may also be as follows: user equipment 1 uses the authorization information, or a key generated from the authorization information, to apply encryption protection and/or integrity protection to the credential or credential set to be transmitted; after receiving the credential or credential set sent by user equipment 1, user equipment 2 performs decryption and/or integrity verification with the authorization information or the key generated from it, and so obtains the user's FIDO credential information. User equipment 2 has to obtain the authorization information from the user before it can decrypt or verify.
In an actual application scenario, they may also be as follows: before transmitting the credential or credential set, user equipment 1 asks the user to enter a transmission key or biometric information, and uses the transmission key, or a key generated from the biometric feature, to apply encryption protection and/or integrity protection to the credential or credential set. After receiving the credential or credential set sent by user equipment 1, user equipment 2 asks the user to enter the transmission key or biometric information and performs decryption and/or integrity verification with the transmission key or the key generated from the biometric feature, and so obtains the user's FIDO credential information.
In an optional embodiment, before sending the first request message to the first device, the method for authenticating device login further includes the following step:
and S66, establishing a transport layer secure connection with the first equipment, wherein the transport layer secure connection is used for providing security protection for message transmission with the first equipment.
The Transport Layer Security (TLS) connection described above may provide TLS protection for credential information.
The first device may be another device of the current user storing the FIDO credentials. The FIDO credential transmission between the first device and the current device can be secured by establishing a transport layer secure connection between the current device (corresponding to the second device requesting to obtain credential information) and the first device.
Through this optional embodiment, the transmission of password-free authentication credentials between different devices is protected by TLS, or by a key derived from the TLS session, so that the transmission process has higher security.
In an optional embodiment, before sending the first request message to the first device, the method for authenticating device login further includes the following steps:
step S67, sending a second access request message to the server, wherein the information carried in the second access request includes at least one of the following: the capability indication is used for indicating that the second equipment supports a non-password authentication mode, and the information of the second equipment comprises at least one of the following: an identification of the second device, an internet protocol address of the second device, a name of the second device.
Step S68, receiving a challenge message from the server, wherein the information carried in the challenge message includes: challenge information.
Alternatively, the current device (corresponding to the second device requesting to obtain the credential information) may send a second access request message to the server. The server is a server, service or application to be accessed by the user. The second access request message may carry: an indication of a capability of the current device to support a password-less authentication mode, and/or information of the second device. Optionally, the current device (corresponding to the second device requesting to obtain the credential information) may also obtain challenge information corresponding to the capability indication from the server. The challenge information corresponds to the first device.
In an optional embodiment, in the method for authenticating device login, the information carried in the challenge message further includes: information of the first device, wherein the information of the first device includes at least one of: an identification of the first device, an internet protocol address of the first device, a name of the first device.
In an optional embodiment, in the method for authenticating device login, the signature information is generated based on the credential information, and includes: the signature information is generated using credential information and challenge information.
Optionally, after the current device acquires credential information synchronized from the target device, the current device may perform signature processing on the challenge information by using the credential information, so as to obtain the signature information. The challenge information corresponds to the first device.
Optionally, the current device may send signature information obtained by performing signature processing on the challenge information to the target server, so that the target server performs login authentication on the signature information. The target server is a server, service or application to be accessed by the user.
Under the above operating environment, the invention provides a method for authenticating device login as shown in fig. 7. This method runs on the first device, which stores the credential information. Fig. 7 is a flowchart of another method for authenticating device login according to an embodiment of the present invention; as shown in fig. 7, the method includes:
step S71, receiving a first access request message from the second device, where the information carried in the first access request message includes signature information generated based on the credential information acquired by the second device;
step S72, verifying the signature information.
In an optional embodiment, before receiving the first access request message of the second device, the method for authenticating the login of the device further includes the following steps:
step S73, receiving a second access request message from the second device, where information carried in the second access request message includes: the capability indication is used for indicating that the second equipment supports a non-password authentication mode, and the information of the second equipment comprises at least one of the following: an identification of the second device, an internet protocol address of the second device, a name of the second device.
In an optional embodiment, after receiving the second access request message, the method for authenticating the device login further includes the following steps:
step S74, sending a challenge message to the second device, where the information carried in the challenge message includes: challenge information.
In an optional embodiment, in the method for authenticating device login, the information carried in the challenge message further includes: information of at least one first device, wherein the information of the first device comprises: an identification of the first device, an internet protocol address of the first device, a name of the first device.
In an optional embodiment, in step S72, verifying the signature information includes verifying the signature information by using the credential information.
In the embodiment of the present invention, a first access request message from the second device is received, where the information carried in it includes signature information generated based on the credential information acquired by the second device, and the signature information is then verified.
It is easy to note that, in the process of synchronizing the credential information from the target device so as to perform password-free authentication on the current device, after the target device storing the credential information receives the first access request message, it verifies the signature information with the credential information, which achieves the technical effect of improving the security and accuracy of the password-free authentication credentials synchronized across different devices.
Under the above operating environment, the invention provides a method for authenticating device login as shown in fig. 8. This method runs on the first device, which stores the credential information. Fig. 8 is a flowchart of another method for authenticating device login according to an embodiment of the present invention; as shown in fig. 8, the method includes:
step S81, receiving a first request message from the second device, wherein the first request message is used for requesting to acquire credential information;
step S82, sending a first response message to the second device, where the information carried in the first response message includes: credential information.
In an optional embodiment, in the method of authenticating a device login, the credential information includes at least one of: server identification, user information, first key information and authorization information.
In an optional embodiment, in the method of authenticating a device login, the server identification is used for at least one of: identifying a server, identifying a service on the server, the information needed to access the server, and the information needed to access the service on the server; the user information includes a user name or a user identification; the first key information includes at least one of: a first public key, a first private key and a first key identification; and the authorization information includes at least one of: fingerprint information, face information, a password and a personal identification number.
In an optional embodiment, before receiving the first request message from the second device, the method for authenticating device login further includes the following steps:
step S83, receiving credential information from the first device.
In an optional embodiment, before sending the first response message to the second device, the method for authenticating device login further includes the following steps:
step S84, obtaining the authorization information.
In the embodiment of the present invention, a first request message from a second device is received, where the first request message is used to request to acquire credential information, and a first response message is further sent to the second device, where information carried in the first response message includes: credential information.
It is easy to note that, in the process of synchronizing the credential information from the target device so as to perform password-free authentication on the current device, after the target device storing the credential information receives the first request message for acquiring the credential information, it sends the first response message carrying the credential information to the current device that requested it; the current device is thus authenticated without a password by synchronizing the credential information from the target device, which achieves the technical effect of synchronizing password-free authentication credentials across different devices and solves the technical problem that the FIDO2-based password-free authentication method of the prior art cannot synchronize authentication credentials across different devices.
Fig. 9 is a schematic diagram of an alternative key synchronization process according to an embodiment of the present invention, as shown in fig. 9, a user device 1 is a device storing a user FIDO credential, a user device 2 is a device currently used by a user and needing to access a server, and the user device 2 does not store the user FIDO credential. The user equipment 2 may obtain the FIDO credentials directly from the user equipment 1 by the following key synchronization procedure:
step E91, user equipment 2 sends a credential request message to user equipment 1, where the credential request message may carry: user information, a server identification, device information of user equipment 2 (such as device name, device identification, etc.), and so on;
step E92, user equipment 1 obtains authorization information from the user;
step E93, user equipment 1 verifies the authorization information to obtain a verification result;
step E94, if the verification passes, user equipment 1 sends a credential response message to user equipment 2, where the credential response message may carry: user information, a server identification and a FIDO credential, where the FIDO credential may be a credential set comprising a plurality of credentials, each of which is used to authenticate the user when the user accesses a server or an application.
It should be noted that the credential request message sent by user equipment 2 to user equipment 1 in step E91 corresponds to the credential response message sent by user equipment 1 to user equipment 2 in step E94.
Fig. 10 is a schematic diagram of another alternative key synchronization process according to an embodiment of the present invention. As shown in fig. 10, user equipment 1 is the device storing the user's FIDO credential; user equipment 2 is the device currently used by the user, which needs to access the server and does not store the user's FIDO credential; and the third-party device is a device that has previously acquired and stored the user's FIDO credential from user equipment 1. User equipment 2 may obtain the FIDO credential indirectly from the third-party device through the following key synchronization procedure:
step E101, the third-party device acquires the user's FIDO credential information from user equipment 1;
step E102, user equipment 2 sends a credential request message to the third-party device, where the credential request message may carry: user information, a server identification, device information of user equipment 2 (such as device name, device identification, etc.), and so on;
step E103, after receiving the credential request message, the third-party device sends a credential response message to user equipment 2, where the credential response message may carry: user information, a server identification and a FIDO credential, where the FIDO credential may be a credential set comprising a plurality of credentials, each of which is used to authenticate the user when the user accesses a server or an application;
step E104, user equipment 2 obtains authorization information from the user and verifies the user with it.
It should be noted that the credential request message sent by user equipment 2 to the third-party device in step E102 corresponds to the credential response message sent by the third-party device to user equipment 2 in step E103. The FIDO credential information that the third-party device acquires from user equipment 1 in step E101 at least includes the credential information corresponding to that credential request message and credential response message.
Still as shown in fig. 9, steps E92 and E93 may form the process of obtaining the user's permission. Another way of obtaining the user's permission is the following: user equipment 1 displays a transmission permission request to the user, which may include the credential information to be transmitted, the device information of user equipment 2, and the like; if the user taps to agree, the user's permission is determined to have been obtained.
Still as shown in fig. 10, steps E101 and E104 may form the process of obtaining the user's permission. Another way of obtaining the user's permission is the following: the third-party device sends a transmission permission request message to the user, which may include the credential information to be transmitted, the device information of user equipment 2, and the like; once the user returns a transmission permission message, the user's permission is determined to have been obtained.
Fig. 11 is a schematic diagram of an alternative authentication device login process according to an embodiment of the present invention, and as shown in fig. 11, the authentication device login process may include:
step E111, the user sends an access request message to the server through user equipment 2, where the access request message carries: user information, capability indication 1 (indicating that user equipment 2 supports one of: a password-less authentication mode, biometric authentication, multi-factor authentication, second-factor authentication and the FIDO2 protocol) and device information of user equipment 2 (such as device name, device identification, etc.);
step E112, the server answers the access request message as follows: if it received capability indication 1, it sends challenge information to user equipment 2; if it did not receive capability indication 1, it sends user equipment 2 a message asking for a password; and if it has no stored device information for user equipment 2, it sends user equipment 2 the device information (such as device name, device identification, etc.) of user equipment 1, which stores the credential;
step E113, the user equipment 2 obtains authorization information from the user;
step E114, executing the key synchronization procedure shown in fig. 9, so that the user equipment 2 obtains the FIDO credential (at least including the FIDO private key for authenticating the user);
step E115, the user equipment 2 signs the challenge information sent by the server by using the FIDO private key and sends the signature information to the server;
and step E116, the server verifies the signature information by using the FIDO public key, and if the verification is successful, the user authentication is determined to be successful.
Optionally, in the step E116, after the user authentication is successful, at least one of the following updating steps may be performed on the server:
step E1161, deleting the device information of the user device 1 stored in the server;
step E1162, storing the device information of the user device 2 in the server;
step E1163, the server sends an update request message to user equipment 2 and receives an update response message returned by user equipment 2, where the update request message is used to ask user equipment 2 to register or generate a new FIDO public/private key pair, and the update response message is used by the server to obtain the new FIDO public key for subsequent user authentication or signature verification.
It should be noted that, after step E1163 is performed on the server, user equipment 2 receives the update request message, may obtain authorization information from the user, regenerates the FIDO public/private key pair, and sends the public key of the regenerated pair to the server; as in any FIDO registration, the private key stays on user equipment 2.
Fig. 12 is a schematic diagram of another alternative authentication device login process according to an embodiment of the present invention, as shown in fig. 12, in the authentication device login process, before accessing the server, the user device 2 may first obtain a credential or a credential set from the user device 1 by using the key synchronization process shown in fig. 9, and then perform password-less authentication on the user by using the user password-less authentication process shown in fig. 4.
Optionally, after the server shown in fig. 12 has verified the signature, at least one of the updating steps E1161 to E1163 above may also be performed.
Fig. 13 is a schematic diagram of another alternative authentication device login process according to an embodiment of the present invention, as shown in fig. 13, in the authentication device login process, before accessing the server, the user device 2 may first obtain a credential or a credential set from a third party device by using the key synchronization process shown in fig. 10, and then perform password-less authentication on the user by using the user password-less authentication process shown in fig. 4.
It is easy to note that, with the method provided by the embodiment of the present invention, when (or before) a user uses a current device that does not store credential information to perform authentication login, credential information to be used is synchronized from a target device that stores credential information, so that password-less authentication can still be performed when the user uses a new device.
Therefore, the beneficial effects of the invention are as follows: the current device is authenticated without a password by synchronizing the credential information from the target device, which achieves the technical effect of synchronizing password-free authentication credentials across different devices and solves the technical problem that the FIDO2-based password-free authentication method of the prior art cannot synchronize authentication credentials across different devices.
It should be noted that for simplicity of description, the above-mentioned method embodiments are shown as a series of combinations of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art will appreciate that the embodiments described in this specification are presently preferred and that no acts or modules are required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention or portions thereof contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to an embodiment of the present invention, there is further provided an apparatus for implementing the method for authenticating device login, where fig. 14 is a schematic structural diagram of an apparatus for authenticating device login according to an embodiment of the present invention, and as shown in fig. 14, the apparatus includes: a first transmission module 1401, a reception module 1402, and a second transmission module 1403, wherein,
a first sending module 1401, configured to send a first request message to a first device, where the first request message is used to request to acquire credential information; a receiving module 1402, configured to receive a first response message from a first device, where information carried in the first response message includes: credential information; a second sending module 1403, configured to send the first access request message to the server, where information carried in the first access request message includes: signature information, the signature information generated based on the credential information.
Optionally, fig. 15 is a schematic structural diagram of another apparatus for authenticating device login according to an embodiment of the present invention, and as shown in fig. 15, the apparatus includes, in addition to all modules shown in fig. 14: a first security module 1404 for performing a decryption operation on the first response message using the second key information; integrity verification is performed on the first response message using the second key information.
Optionally, fig. 16 is a schematic structural diagram of another apparatus for authenticating device login according to an embodiment of the present invention, and as shown in fig. 16, the apparatus includes, in addition to all modules shown in fig. 15: a second security module 1405, configured to establish a transport layer security connection with the first device, where the transport layer security connection is configured to provide security protection for message transmission with the first device.
Optionally, fig. 17 is a schematic structural diagram of another apparatus for authenticating device login according to an embodiment of the present invention, and as shown in fig. 17, the apparatus includes, in addition to all modules shown in fig. 16: the challenge module 1406 is configured to send a second access request message to the server, where information carried in the second access request includes at least one of the following: the capability indication is used for indicating that the second equipment supports a non-password authentication mode, and the information of the second equipment comprises at least one of the following: an identification of the second device, an internet protocol address of the second device, a name of the second device. Receiving a challenge message from a server, wherein the information carried in the challenge message comprises: challenge information.
It should be noted here that the first sending module 1401, the receiving module 1402 and the second sending module 1403 correspond to steps S61 to S63 in embodiment 1, and the three modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in the first embodiment. It should be noted that the modules described above as part of the apparatus may be run in the computer terminal 10 provided in the first embodiment.
In the embodiment of the present invention, a first request message is sent to a first device, where the first request message is used to request acquisition of credential information; a first response message from the first device is received, where the information carried in the first response message includes the credential information; and a first access request message is then sent to a server, where the information carried in the first access request message includes signature information generated based on the credential information. The current device is thus authenticated without a password by synchronizing the credential information from the target device, which achieves the technical effect of synchronizing password-free authentication credentials across different devices and solves the technical problem that the FIDO2-based password-free authentication method of the prior art cannot synchronize authentication credentials across different devices.
It should be noted that, reference may be made to the relevant description in embodiment 1 for a preferred implementation of this embodiment, and details are not described here again.
Example 3
According to an embodiment of the present invention, there is also provided an electronic device, which may be any one of a group of computing devices. The electronic device includes a processor and a memory, wherein:
the memory is coupled to the processor and provides the processor with instructions for performing the following processing steps: sending a first request message to a first device, wherein the first request message is used for requesting to acquire credential information; receiving a first response message from the first device, wherein the information carried in the first response message includes: the credential information; and sending a first access request message to a server, wherein the information carried in the first access request message includes: signature information generated based on the credential information.
In this embodiment of the present invention, a first request message is sent to a first device to request credential information; a first response message carrying the credential information is received from the first device; and a first access request message is then sent to a server, the information carried in it including signature information generated based on the credential information. The current device thereby performs passwordless authentication with credential information synchronized from the target device, which achieves the technical effect of synchronizing passwordless authentication credentials across different devices and solves the technical problem that the FIDO2-based passwordless authentication method of the prior art cannot synchronize authentication credentials across different devices.
For a preferred implementation of this embodiment, refer to the relevant description in Embodiment 1; details are not repeated here.
Example 4
An embodiment of the present invention may also provide a computer terminal, which may be any computer terminal device in a group of computer terminals. Optionally, in this embodiment, the computer terminal may be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute program code for the following steps of the method for authenticating device login: sending a first request message to a first device, wherein the first request message is used for requesting to acquire credential information; receiving a first response message from the first device, wherein the information carried in the first response message includes: the credential information; and sending a first access request message to a server, wherein the information carried in the first access request message includes: signature information generated based on the credential information.
Optionally, Fig. 18 is a block diagram of another structure of a computer terminal according to an embodiment of the present invention. As shown in Fig. 18, the computer terminal may include: one or more processors 122 (only one of which is shown), a memory 124, and a peripherals interface 126.
The memory may be configured to store software programs and modules, such as the program instructions/modules corresponding to the method and apparatus for authenticating device login in the embodiments of the present invention; by running the software programs and modules stored in the memory, the processor executes various functional applications and data processing, that is, implements the method for authenticating device login. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the computer terminal through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application programs stored in the memory, via the transmission device, to execute the following steps: sending a first request message to a first device, wherein the first request message is used for requesting to acquire credential information; receiving a first response message from the first device, wherein the information carried in the first response message includes: the credential information; and sending a first access request message to a server, wherein the information carried in the first access request message includes: signature information generated based on the credential information. Optionally, the processor may further execute program code for the following steps: the credential information includes at least one of: server identification, user information, first key information and authorization information.
Optionally, the processor may further execute program code for the following steps: the server identification is used for at least one of: identifying the server, identifying a service on the server, information needed to access the server, and information needed to access the service on the server; the user information includes: a user name or user identification; the first key information includes at least one of: a first public key, a first private key and a first key identification; the authorization information includes at least one of: fingerprint information, face information, a password, a personal identification number.
Optionally, the processor may further execute program code for the following steps: the information carried in the first access request message further includes at least one of: user information, server identification.
Optionally, the processor may further execute program code for the following steps: after receiving the first response message from the first device: performing a decryption operation on the first response message using second key information; performing integrity verification on the first response message using the second key information.
Optionally, the processor may further execute program code for the following steps: the second key information includes one of: the authorization information, a key generated based on the authorization information.
Optionally, the processor may further execute program code for the following steps: prior to sending the first request message to the first device: establishing a transport layer security connection with the first device, wherein the transport layer security connection is used for providing security protection for message transmission with the first device.
Optionally, the processor may further execute program code for the following steps: prior to sending the first request message to the first device: sending a second access request message to the server, wherein the information carried in the second access request message includes at least one of: a capability indication and information of the second device, where the capability indication indicates that the second device supports a passwordless authentication mode, and the information of the second device includes at least one of an identification of the second device, an Internet protocol address of the second device and a name of the second device; and receiving a challenge message from the server, wherein the information carried in the challenge message includes: challenge information.
Optionally, the processor may further execute program code for the following steps: the information carried in the challenge message further includes: information of the first device, wherein the information of the first device includes at least one of: an identification of the first device, an Internet protocol address of the first device, a name of the first device.
Optionally, the processor may further execute program code for the following steps: the signature information is generated using the credential information and the challenge information.
The processor can call the information and application programs stored in the memory, via the transmission device, to execute the following steps: receiving a first access request message from a second device, wherein the information carried in the first access request message includes: signature information generated based on the credential information acquired by the second device; and verifying the signature information.
Optionally, the processor may further execute program code for the following steps: prior to receiving the first access request message from the second device: receiving a second access request message from the second device, wherein the information carried in the second access request message includes: a capability indication and information of the second device, where the capability indication indicates that the second device supports a passwordless authentication mode, and the information of the second device includes at least one of: an identification of the second device, an Internet protocol address of the second device, a name of the second device.
Optionally, the processor may further execute program code for the following steps: after receiving the second access request message: sending a challenge message to the second device, wherein the information carried in the challenge message includes: challenge information.
Optionally, the processor may further execute program code for the following steps: the information carried in the challenge message further includes at least one of: information of the first device, wherein the information of the first device includes: an identification of the first device, an Internet protocol address of the first device, a name of the first device.
Optionally, the processor may further execute program code for the following steps: verifying the signature information using the credential information.
The processor can call the information and application programs stored in the memory, via the transmission device, to execute the following steps: receiving a first request message from the second device, wherein the first request message is used for requesting to acquire credential information; sending a first response message to the second device, wherein the information carried in the first response message includes: the credential information.
Optionally, the processor may further execute program code for the following steps: the credential information includes at least one of: server identification, user information, first key information and authorization information.
Optionally, the processor may further execute program code for the following steps: the server identification is used for at least one of: identifying the server, identifying a service on the server, accessing the server, accessing a service on the server; the user information includes: a user name or user identification; the first key information includes at least one of: a first public key, a first private key and a first key identification; the authorization information includes at least one of: fingerprint information, face information, a password, a personal identification number.
Optionally, the processor may further execute program code for the following steps: prior to receiving the first request message from the second device: receiving the credential information from the first device.
Optionally, the processor may further execute program code for the following steps: prior to sending the first response message to the second device: obtaining the authorization information.
In this embodiment of the present invention, a first request message is sent to a first device to request credential information; a first response message carrying the credential information is received from the first device; and a first access request message is then sent to a server, the information carried in it including signature information generated based on the credential information. The current device thereby performs passwordless authentication with credential information synchronized from the target device, which achieves the technical effect of synchronizing passwordless authentication credentials across different devices and solves the technical problem that the FIDO2-based passwordless authentication method of the prior art cannot synchronize authentication credentials across different devices.
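The three roles described in this embodiment (the second device that requests the credential and signs the challenge, the first device that returns the credential under the protection of the second key information, and the server that issues the challenge and verifies the signature) can be traced through end to end in code. The following Go program is an added example written for this page; it is not code from the patent or from the assignee. It assumes Ed25519 as the first key information, AES-256-GCM as the decryption and integrity protection applied with the second key information, a labelled SHA-256 of a PIN standing in for the key generated from the authorization information, and message layouts and field names of its own; the transport layer security connection between the two devices is assumed to be provided underneath and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Credential is the "credential information" held by the first device (field names assumed).
type Credential struct {
	ServerID, UserName, KeyID string // server identification, user information, key identification
	PrivateKey                ed25519.PrivateKey
}

// deriveSecondKey turns authorization information (a PIN) into the "second key information".
func deriveSecondKey(authorization []byte) []byte {
	// Constructed stand-in for a real password KDF such as Argon2, which production code should use.
	sum := sha256.Sum256(append([]byte("credential-sync-v1\x00"), authorization...))
	return sum[:] // 32 bytes: an AES-256 key
}

// newGCM wraps the 32-byte second key in AES-256-GCM.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here: a programming error, not bad input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	return gcm
}

// sealCredential is the first device's side: the first response message is the credential encrypted and integrity-protected.
func sealCredential(cred Credential, secondKey []byte) ([]byte, error) {
	plain, err := json.Marshal(cred)
	if err != nil {
		return nil, err
	}
	gcm := newGCM(secondKey)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand; since Go 1.24 it never returns an error
	return gcm.Seal(nonce, nonce, plain, nil), nil // nonce || ciphertext || tag
}

// openCredential is the second device's side: decryption plus integrity verification; a wrong PIN or a modified message fails here.
func openCredential(sealed, secondKey []byte) (Credential, error) {
	var cred Credential
	gcm := newGCM(secondKey)
	if len(sealed) < gcm.NonceSize() {
		return cred, errors.New("first response message too short")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return cred, err
	}
	return cred, json.Unmarshal(plain, &cred)
}

// Server keeps the public key registered per "user/keyID" and the challenges it has issued.
type Server struct {
	ID         string
	registered map[string]ed25519.PublicKey
	challenges map[string]bool
}

// NewServer starts with the keys the first device enrolled, e.g. {"alice/key-1": pub}.
func NewServer(id string, registered map[string]ed25519.PublicKey) *Server {
	return &Server{id, registered, map[string]bool{}}
}

// Challenge answers the second access request message with fresh challenge information.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; since Go 1.24 it never returns an error
	s.challenges[string(c)] = true
	return c
}

// signingInput binds the signature to server id, user, key id and challenge.
func signingInput(serverID, user, keyID string, challenge []byte) []byte {
	return append([]byte(serverID+"\x00"+user+"\x00"+keyID+"\x00"), challenge...)
}

// Sign produces the signature information for the first access request message.
func Sign(cred Credential, challenge []byte) []byte {
	return ed25519.Sign(cred.PrivateKey, signingInput(cred.ServerID, cred.UserName, cred.KeyID, challenge))
}

// Verify is the server's check: the challenge must be one it issued and unused, and the signature must verify.
func (s *Server) Verify(user, keyID string, challenge, sig []byte) bool {
	if !s.challenges[string(challenge)] {
		return false
	}
	delete(s.challenges, string(challenge)) // single use: a replayed first access request fails
	pub, ok := s.registered[user+"/"+keyID]
	return ok && ed25519.Verify(pub, signingInput(s.ID, user, keyID, challenge), sig)
}
```

Two properties are worth noting. openCredential rejects a wrong PIN, a modified message and a truncated message before the private key is touched, which is what the decryption and integrity verification steps with the second key information buy the second device. On the server side, Verify deletes each challenge on first use, so a captured first access request message cannot be replayed, and including the server identification, user and key identification in the signed data prevents a signature produced for one server or user from being accepted for another.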
It can be understood by those skilled in the art that the structure shown in fig. 18 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, etc. Fig. 18 does not limit the structure of the electronic device. For example, the computer terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 18, or have a different configuration than shown in FIG. 18.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only Memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
According to an embodiment of the present invention, there is also provided a storage medium. Optionally, in this embodiment, the storage medium may be configured to store the program code executed by the method for authenticating device login provided in Embodiment 1.
Optionally, in this embodiment, the storage medium may be located in any one of the computer terminals in a group of computer terminals in a computer network, or in any one of the mobile terminals in a group of mobile terminals.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: sending a first request message to a first device, wherein the first request message is used for requesting to acquire credential information; receiving a first response message from the first device, wherein the information carried in the first response message includes: the credential information; and sending a first access request message to a server, wherein the information carried in the first access request message includes: signature information generated based on the credential information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the credential information includes at least one of: server identification, user information, first key information and authorization information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the server identification is used for at least one of: identifying the server, identifying a service on the server, information needed to access the server, and information needed to access the service on the server; the user information includes: a user name or user identification; the first key information includes at least one of: a first public key, a first private key and a first key identification; the authorization information includes at least one of: fingerprint information, face information, a password, a personal identification number.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the information carried in the first access request message further includes at least one of: user information, server identification.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: after receiving the first response message from the first device: performing a decryption operation on the first response message using second key information; performing integrity verification on the first response message using the second key information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the second key information includes one of: the authorization information, a key generated based on the authorization information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: prior to sending the first request message to the first device: establishing a transport layer security connection with the first device, wherein the transport layer security connection is used for providing security protection for message transmission with the first device.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: prior to sending the first request message to the first device: sending a second access request message to the server, wherein the information carried in the second access request message includes at least one of: a capability indication and information of the second device, where the capability indication indicates that the second device supports a passwordless authentication mode, and the information of the second device includes at least one of an identification of the second device, an Internet protocol address of the second device and a name of the second device; and receiving a challenge message from the server, wherein the information carried in the challenge message includes: challenge information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the information carried in the challenge message also includes: information of the first device, wherein the information of the first device includes at least one of: an identification of the first device, an internet protocol address of the first device, a name of the first device.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the signature information is generated using credential information and challenge information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: receiving a first access request message from a second device, wherein the information carried in the first access request message includes: signature information generated based on the credential information acquired by the second device; and verifying the signature information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: prior to receiving the first access request message from the second device: receiving a second access request message from the second device, wherein the information carried in the second access request message includes: a capability indication and information of the second device, where the capability indication indicates that the second device supports a passwordless authentication mode, and the information of the second device includes at least one of: an identification of the second device, an Internet protocol address of the second device, a name of the second device.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: after receiving the second access request message: sending a challenge message to the second device, wherein the information carried in the challenge message includes: challenge information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the information carried in the challenge message further includes at least one of: information of a first device, wherein the information of the first device includes: an identification of the first device, an internet protocol address of the first device, a name of the first device.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: verifying the signature information using the credential information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: receiving a first request message from the second device, wherein the first request message is used for requesting to acquire credential information; sending a first response message to the second device, wherein the information carried in the first response message includes: credential information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the credential information includes at least one of: server identification, user information, first key information and authorization information.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the server identification is used for at least one of: identifying the server, identifying a service on the server, accessing the server, accessing a service on the server; the user information includes: a user name or user identification; the first key information includes at least one of: a first public key, a first private key and a first key identification; the authorization information includes at least one of: fingerprint information, face information, a password, a personal identification number.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: prior to receiving the first request message from the second device: receiving the credential information from the first device.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: prior to sending the first response message to the second device: obtaining the authorization information.
The above-mentioned serial numbers of the embodiments of the present invention are only for description, and do not represent the advantages and disadvantages of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis, and reference may be made to the related description of other embodiments for parts that are not described in detail in a certain embodiment.
In the embodiments provided in the present invention, it should be understood that the disclosed technical contents can be implemented in other manners. The above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be implemented in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or in other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and amendments can be made without departing from the principle of the present invention, and these modifications and amendments should also be considered as the protection scope of the present invention.

Claims (22)

1. A method for authenticating device login is characterized by comprising the following steps:
sending a first request message to a first device, wherein the first request message is used for requesting to acquire credential information;
receiving a first response message from the first device, wherein information carried in the first response message includes: the credential information;
sending a first access request message to a server, wherein information carried in the first access request message includes: signature information generated based on the credential information.
2. The method of claim 1, wherein the credential information comprises at least one of:
server identification, user information, first key information and authorization information.
3. The method of claim 2,
the server identification is for at least one of: identifying the server, identifying a service on the server, information needed to access the service on the server;
the user information includes: a user name or user identification;
the first key information includes at least one of: the first public key, the first private key and the first key identification;
the authorization information includes at least one of: fingerprint information, face information, passwords, personal identification numbers.
4. The method of any of claims 1 to 3, wherein the information carried in the first access request information further comprises at least one of:
user information, server identification.
5. The method of any of claims 1 to 4, wherein after receiving the first response message from the first device, the method further comprises at least one of:
performing a decryption operation on the first response message using second key information;
and performing integrity verification on the first response message by using the second key information.
6. The method of claim 5, wherein the second key information comprises one of:
authorization information, a key generated based on the authorization information.
7. The method according to any of claims 1 to 6, wherein prior to sending the first request message to the first device, the method further comprises:
and establishing a transport layer secure connection with the first device, wherein the transport layer secure connection is used for providing secure protection for message transmission with the first device.
8. The method according to any of claims 1 to 7, wherein prior to sending the first request message to the first device, the method further comprises:
sending a second access request message to the server, wherein the information carried in the second access request message includes at least one of the following: a capability indication and information of the second device, where the capability indication is used for indicating that the second device supports a passwordless authentication mode, and the information of the second device comprises at least one of the identification of the second device, the Internet protocol address of the second device and the name of the second device; and
receiving a challenge message from the server, wherein information carried in the challenge message includes: challenge information.
9. The method of claim 8, wherein the information carried in the challenge message further comprises:
information of a first device, wherein the information of the first device comprises at least one of: an identity of the first device, an internet protocol address of the first device, a name of the first device.
10. The method of claim 8 or 9, wherein the signature information is generated based on the credential information, comprising: the signature information is generated by using the credential information and the challenge information.
11. A method for authenticating device login is characterized by comprising the following steps:
receiving a first access request message from a second device, wherein information carried in the first access request message includes: signature information generated based on credential information acquired by the second device;
and verifying the signature information.
12. The method of claim 11, further comprising, prior to receiving the first access request message from the second device:
receiving a second access request message from the second device, wherein information carried in the second access request message includes: a capability indication and information of the second device, where the capability indication is used for indicating that the second device supports a passwordless authentication mode, and the information of the second device comprises at least one of the following: an identity of the second device, an internet protocol address of the second device, a name of the second device.
13. The method of claim 12, further comprising, after receiving the second access request message:
sending a challenge message to the second device, where information carried in the challenge message includes: challenge information.
14. The method of claim 13, wherein the information carried in the challenge message further comprises at least one of:
information of a first device, wherein the information of the first device includes: an identity of the first device, an internet protocol address of the first device, a name of the first device.
15. The method of claim 11, wherein verifying the signature information comprises:
verifying the signature information using the credential information.
16. A method for authenticating device login is characterized by comprising the following steps:
receiving a first request message from a second device, wherein the first request message is used for requesting to acquire credential information;
sending a first response message to the second device, where information carried in the first response message includes: the credential information.
17. The method of claim 16, wherein the credential information comprises at least one of:
server identification, user information, first key information and authorization information.
18. The method of claim 17,
the server identification is for at least one of: identifying the server, identifying a service on the server, accessing a service on the server;
the user information includes: a user name or user identification;
the first key information includes at least one of: the first public key, the first private key and the first key identification;
the authorization information includes at least one of: fingerprint information, face information, passwords, personal identification codes.
19. The method according to any of claims 16 to 18, wherein prior to receiving the first request message from the second device, the method further comprises:
receiving the credential information from the first device.
20. The method of any of claims 16 to 18, wherein prior to sending the first response message to the second device, the method further comprises:
obtaining the authorization information.
21. A computer-readable storage medium, comprising a stored program, wherein when the program runs, the program controls a device on which the computer-readable storage medium is located to execute the method for authenticating device login according to any one of claims 1 to 20.
22. An electronic device, comprising:
a processor; and
a memory coupled to the processor and configured to provide the processor with instructions for performing the following processing steps:
sending a first request message to a first device, wherein the first request message is used for requesting to acquire credential information;
receiving a first response message from the first device, wherein information carried in the first response message includes: the credential information;
sending a first access request message to a server, wherein information carried in the first access request message includes: signature information generated based on the credential information.
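The exchange of claims 16 to 22, written out as an added Go example; this is not code from the patent or from the applicant. The first device generates the credential information (server identification, user name, key identification and a key pair), registers its public half with the server (claim 19), and hands the full credential to the second device in the first response message; the second device then signs a first access request with it (claim 22), and the server performs login verification on the signature information using the credential information it holds (claim 15). Ed25519 is an assumed signature scheme, since the claims name no algorithm; the per-request nonce, the replay cache and the device name binding are assumptions added so that a captured access request cannot be presented a second time or reattributed to another device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Credential is the credential information of claims 16 to 18: server
// identification, user information and first key information. The private
// key travels only between the two devices; the server keeps the public half.
type Credential struct {
	ServerID string
	User     string
	KeyID    string
	Public   ed25519.PublicKey
	Private  ed25519.PrivateKey // nil in the server's copy
}

// AccessRequest is the first access request message of claim 22. Nonce and
// DeviceName are assumptions, not fields named by the claims.
type AccessRequest struct {
	ServerID, User, KeyID string
	DeviceName            string // name of the requesting device (claim 14)
	Nonce                 string // fresh per request, stops replay
	Signature             []byte
}

// canonical returns the bytes that are signed. Every field the server checks
// is bound into the signature so none of them can be altered in transit.
func (r AccessRequest) canonical() []byte {
	return []byte(strings.Join([]string{r.ServerID, r.User, r.KeyID, r.DeviceName, r.Nonce}, "\n"))
}

// Server holds credentials received from the first device (claim 19), keyed
// by user and key identification, plus the nonces it has already accepted.
type Server struct {
	ID    string
	creds map[string]Credential
	seen  map[string]bool
}

func NewServer(id string) *Server {
	return &Server{ID: id, creds: map[string]Credential{}, seen: map[string]bool{}}
}

// Register stores only the public part of a credential (claim 19).
func (s *Server) Register(c Credential) {
	c.Private = nil
	s.creds[c.User+"/"+c.KeyID] = c
}

// Verify is the login verification of claim 15: the signature information is
// checked against the stored credential information.
func (s *Server) Verify(r AccessRequest) error {
	if r.ServerID != s.ID {
		return errors.New("server identification mismatch")
	}
	c, ok := s.creds[r.User+"/"+r.KeyID]
	if !ok {
		return errors.New("unknown user or key identification")
	}
	if s.seen[r.Nonce] {
		return errors.New("replayed nonce")
	}
	if !ed25519.Verify(c.Public, r.canonical(), r.Signature) {
		return errors.New("bad signature")
	}
	s.seen[r.Nonce] = true
	return nil
}

// NewCredential is what the first device holds before the second device
// requests it (claim 16). The key identification is derived from the public key.
func NewCredential(serverID, user string) (Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	return Credential{ServerID: serverID, User: user, KeyID: hex.EncodeToString(pub[:4]), Public: pub, Private: priv}, nil
}

// Sign is the second device's step: build the access request from the
// credential received in the first response message and sign it (claim 22).
func Sign(c Credential, deviceName string) (AccessRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return AccessRequest{}, err
	}
	r := AccessRequest{ServerID: c.ServerID, User: c.User, KeyID: c.KeyID, DeviceName: deviceName, Nonce: hex.EncodeToString(nonce)}
	r.Signature = ed25519.Sign(c.Private, r.canonical())
	return r, nil
}

func main() {
	srv := NewServer("svc.example") // constructed server identification
	cred, _ := NewCredential(srv.ID, "alice")
	srv.Register(cred)                // first device -> server (claim 19)
	req, _ := Sign(cred, "laptop-2") // second device signs with the received credential
	fmt.Println("first login:", srv.Verify(req))
	fmt.Println("replayed request:", srv.Verify(req))
}
```

The credential handed to the second device contains the private key, so in a deployment the first request and first response messages (claims 16 and 22) need a channel that authenticates both devices; the example models that transfer as a plain Go value copy and does not show it.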
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210646121.8A CN115189885A (en) 2022-06-09 2022-06-09 Method for authenticating equipment login, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210646121.8A CN115189885A (en) 2022-06-09 2022-06-09 Method for authenticating equipment login, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN115189885A true CN115189885A (en) 2022-10-14

Family

ID=83513602

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210646121.8A Pending CN115189885A (en) 2022-06-09 2022-06-09 Method for authenticating equipment login, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN115189885A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI831577B (en) * 2023-01-16 2024-02-01 臺灣網路認證股份有限公司 System for centralizing relying parties and registration authorities to provide certification service and method thereof
CN116866093A (en) * 2023-09-05 2023-10-10 鼎铉商用密码测评技术(深圳)有限公司 Identity authentication method, identity authentication device, and readable storage medium
CN116866093B (en) * 2023-09-05 2024-01-05 鼎铉商用密码测评技术(深圳)有限公司 Identity authentication method, identity authentication device, and readable storage medium

Similar Documents

Publication Publication Date Title
US11764966B2 (en) Systems and methods for single-step out-of-band authentication
US9954687B2 (en) Establishing a wireless connection to a wireless access point
US9038138B2 (en) Device token protocol for authorization and persistent authentication shared across applications
US9185096B2 (en) Identity verification
JP2023166562A (en) First factor contactless card authentication system and method
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
CN115189885A (en) Method for authenticating equipment login, storage medium and electronic equipment
US8397281B2 (en) Service assisted secret provisioning
CN114788226A (en) Unmanaged tool for building decentralized computer applications
CN111143474B (en) One-key binding changing method for mobile phone number based on block chain technology
US20150244695A1 (en) Network authentication method for secure user identity verification
CN106161475B (en) Method and device for realizing user authentication
CN111800377B (en) Mobile terminal identity authentication system based on safe multi-party calculation
US11182464B2 (en) Mobile key via mobile device audio channel
CN111901304B (en) Registration method and device of mobile security equipment, storage medium and electronic device
CN111949959B (en) Authorization authentication method and device in Oauth protocol
CN111405016B (en) User information acquisition method and related equipment
CN116097615B (en) Authentication using key agreement
KR20150125019A (en) Personal portable secured network access system
CN107204959B (en) Verification method, device and system of verification code
CN112241548A (en) User authentication and authorization based on block chain and authentication and authorization method
CN116528230A (en) Verification code processing method, mobile terminal and trusted service system
EP2940618A1 (en) Method, system, user equipment and program for authenticating a user
WO2018099407A1 (en) Account authentication login method and device
KR20180028751A (en) User Authentication Method and Apparatus Using Digital Certificate on FIDO 2.0 Method Thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK
Ref legal event code: DE
Ref document number: 40081814
Country of ref document: HK